I would like to know all the permissions a Windows domain user has in my network. Is there a way, with a script file or a tool, to extract this kind of information by checking all the servers and computers in my network? I'm on a Microsoft network with Windows Server 2008 R2, Windows XP, Windows 7.

The report should include this kind of information:

report all permissions that the domain user has (read, write, etc...)

if the domain user is in a domain group, tell me the permissions that this group has in my network

Apart from the obvious - that this is insanely expensive in a 1000+-server domain - you would need to script something that retrieves all machines from AD and then iterate over them with an administrator account that has the rights to view all permissions of all filesystem objects.

It might be insane when you think about it, but we have ~300 desktop computers with ~20 servers. Since the older administrator used bad practices by giving access to users directly and not using groups, I need something to help me clean the network. I guess that the tool could have the option to include or exclude desktop computers, or to take a list of IPs that I want to scan.
– Alexandre Jobin Apr 2 '12 at 15:58

Data Intelligence - Analyze who is accessing and using data and how often to help determine data retention policies for archiving and deleting unused data.

Access Insight - Produce intelligent reports for business owners to clearly show who is controlling and accessing the data, who the owner is, or to suggest potential owners to help initiate an attestation process for compliance.

Data Control - Secure access to data, files and shares so that sensitive information is accessed only by those with a business need.

Compliance Accountability - Assign ownership of all data to the appropriate business owners for accountability and compliance reporting.

Access Activity - Identify and monitor key data to track all access, including details such as who accessed the data and when, and retain the details in log form.

As @adaptr says this could be really expensive if not impossible. Unless... You have to make an organizational commitment to NEVER put a UserID directly into an ACL. Use Groups for everything. If you do that, then you simply make a list of the groups a person is a member of and what those groups grant access to.

In our environment we have three groups for every share: Share_Read, Share_Write and Share_Admin. We never add an individual account to a share EXCEPT their Home share.

You are right when you say that a user shouldn't have access directly to something but should use a Group that has access. But I have to work with what I have in place, and the other administrator has used some bad practices, so I have to live with that. But isn't knowing what a group has access to the same thing as asking what the user has access to, don't you think? Or maybe I'm wrong?
– Alexandre Jobin Apr 2 '12 at 15:51

I appreciate you have to play the hand that was dealt. Our point is that trying to build a script to report access is almost impossible. If you take a methodical approach like I describe, then you only need to review group memberships to see who has access. Then, regularly dump ACLs to ensure only groups are in them. No need to search across every ACL to see who has access to what.
– uSlackr Apr 2 '12 at 16:41
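An added example (not code from the thread or from either poster) of the regular ACL dump uSlackr describes: it reads the explicit NTFS entries on each share root, classifies every identity through AD, and flags entries granted to an individual user instead of a group. The share paths and the output file name are constructed placeholders.

```powershell
# Added example, not from the thread: dump explicit ACEs on each share root and
# flag those granted to a user object rather than a group (uSlackr's check).
# Run on a domain-joined host, as an account that can read ACLs on every path.
# Written for PowerShell 2.0 (Server 2008 R2 era), so no [pscustomobject] syntax.
# Get-Acl on a UNC path reads NTFS permissions; share-level permissions are separate.
$sharePaths = @('\\FILESRV01\Finance', '\\FILESRV01\HR')   # constructed sample list
$outFile    = '.\acl-dump.csv'                             # constructed output path

function Get-IdentityKind {
    # Classify an ACE identity as user / group / builtin / unresolved via AD.
    param([System.Security.Principal.IdentityReference]$Identity)
    try {
        $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier])
    } catch { return 'unresolved' }
    # Well-known SIDs (BUILTIN\Administrators, SYSTEM, CREATOR OWNER) are not
    # domain accounts, so they are neither a user nor a group to clean up.
    if (-not $sid.IsAccountSid()) { return 'builtin' }
    try {
        $obj     = [ADSI]"LDAP://<SID=$($sid.Value)>"   # bind to the AD object by SID
        $classes = @($obj.objectClass)
        if ($classes.Count -eq 0)        { return 'unresolved' }  # e.g. a local account
        if ($classes -contains 'group')    { return 'group' }
        if ($classes -contains 'computer') { return 'computer' }
        if ($classes -contains 'user')     { return 'user' }
        return 'other'
    } catch { return 'unresolved' }
}

$report = foreach ($path in $sharePaths) {
    $acl = Get-Acl -Path $path
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }   # explicit entries only; inherited ones belong to the parent
        New-Object PSObject -Property @{
            Path     = $path
            Identity = $ace.IdentityReference.Value
            Kind     = Get-IdentityKind -Identity $ace.IdentityReference
            Rights   = $ace.FileSystemRights.ToString()
            Type     = $ace.AccessControlType.ToString()
        }
    }
}

$report | Export-Csv -Path $outFile -NoTypeInformation
# The entries to clean up: users granted access directly instead of through a group.
$report | Where-Object { $_.Kind -eq 'user' } | Sort-Object Path, Identity |
    Format-Table Path, Identity, Rights, Type -AutoSize
```

Replace the sample list with the shares enumerated from each server (for example from Win32_Share) to cover the whole estate.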

There is no magic tool that scans everything, because scanning all IT resources can go much further than file shares:

SharePoint Access

Exchange access

SQL Access

And all others, including non-MS products...

Best practice is to avoid direct access based on user account (as said by others), and manage requests as tickets (through a ticketing tool) so you can trace requests instead of diving into the real system matrix.

I haven't had a chance to test this product since I've solved a part of my problem with AccessChk, but it seems to be a great tool too. Thank you for sharing this!
– Alexandre Jobin Apr 3 '12 at 19:38